Understanding Cyber Collateral Damage Sasha Romanosky* & Zachary Goldman** INTRODUCTION In conventional (kinetic) U.S. warfare, there exists a standard methodology for identifying and assessing collateral damage (i.e. accidental damage to civilian targets). Indeed, the U.S. Department of Defense (DoD) relies on a governing document that defines the policy regarding unlawful military targets (no-strike targets), and methods for estimating collateral damage from kinetic military operations.1 The definitions in this document are clear, and the harms against which it aims to protect are tangible because they relate to persons and property. The munitions in the military’s arsenal are defined and well-known, and their properties—blast radius, amount of force delivered, and the like—are well understood. While accidents of course do occur, the anticipated effects of a kinetic operation (collateral or otherwise), are generally straightforward to anticipate, assess, and manage. However, given the interconnectedness of cyber and cyber-physical systems, direct, indirect, and collateral effects can be much more difficult to predict, rendering ineffective traditional approaches to collateral damage estimation (CDE). Indeed, even the notion of clearly defining and considering “damage” within the cyber realm is challenging. For example, how does one estimate harms resulting from an outage of network connectivity caused when an attacker exploits a software vulnerability? How can one evaluate and weigh the collateral impact of a cyber intervention on incommensurable values, such as exposing the IP addresses of anonymous Tor users in order to arrest child pornographers, against international comity concerns that might be implicated by remotely searching foreign computers in contravention of traditional diplo- matic and law enforcement norms? We consider two main questions in this Article. First, how can traditional military doctrine be adapted to accommodate the unique challenges of estimat- ing collateral damage in the cyber domain? And second, how can domestic U.S. * Associate, RAND Corporation. © 2017, Sasha Romanosky & Zachary Goldman. ** Executive Director, Center on Law and Security, New York University School of Law. Acknowledgements: We would like to thank Lily Ablon, David Aitel, Krista Auchenbach, Charles Brown, Bob Elder, Allan Friedman, Martin Libicki, Eric Jensen, Mark Sparkman, David Senty, Michael Warner, and Sean Watts for their valuable comments and insights. We would especially like to thank Cynthia Dion-Schwarz for her inspiration, and participants of the Legal and Policy Dimensions of Cybersecurity workshop at George Washington University School of Media and Public Affairs (Sept 28-29), 2016. 1. CHAIRMAN OF THE JOINT CHIEFS OF STAFF,NO-STRIKE AND THE COLLATERAL DAMAGE ESTIMATION METHODOLOGY,DEPARTMENT OF DEFENSE, CJCSI 3160.01 (2009). Note, the version referred to within this document, obtained via a freedom of information act request by the ACLU, is unclassified and no longer for official use only (FOUO). 233 234JOURNAL OF NATIONAL SECURITY LAW &POLICY [Vol. 9:233 law enforcement agencies develop a similar conceptual framework for anticipat- ing and evaluating collateral damage? The purpose of this Article is not to reproduce existing literature regarding cyber war, military doctrine, or international laws of war, nor do we attempt to mathematically or empirically model computer dependencies. Indeed, we draw on these (and other) resources in order to understand how damage, and therefore collateral damage, may occur from cyber and kinetic operations in a range of contexts. The fundamental question is whether unintended effects on data alone can constitute collateral damage requiring operational planners in the military and law enforcement context to weigh that inadvertent harm against lawful objec- tives during the mission planning and execution process. We answer that question in the affirmative, while recognizing that the precise contours of what constitutes collateral damage in cyberspace, relative to traditional canons, re- main to be defined. That task will remain difficult while the vast majority of cyber operations remain secret and states remain unwilling to speak publicly about the process for planning and executing them. But as a greater number of such operations see the light of day and governments become less reluctant to divulge information, over time a more robust standard can be developed. For now, the main task is to identify the conceptual issues with which such a framework must grapple. This Article will first define key terms for evaluating cyber collateral damage. We will then describe the analytical process for evaluating collateral damage in the kinetic context. Finally, we will present a framework for evaluating collat- eral damage relevant to cyber operations and show how that framework can apply to both law enforcement and military cyber operations. I. DEFINITIONS AND BACKGROUND For the key terms below, the definitions are drawn from the military context (as that is where the most mature framework resides). However, they are relevant in non-military situations as well and will therefore be used throughout this Article. A. Cyberspace Operations While formal definitions of “cyber” and “cyber operations” (or, “cyberspace operations”) are evolving, for the purpose of this Article, we consider cyber operations to include the “(1) use [of] cyber capabilities, such as computers, software tools, or networks: [that] (2) have a primary purpose of achieving objectives or effects in or through cyberspace.”2 More specifically, U.S. military cyber operations consist of three types: offensive cyber operations (OCO), 2. OFFICE OF THE GEN.COUNSEL, U.S. DEP’TOFDEF., DEPARTMENT OF DEFENSE LAW OF WAR MANUAL § 16.1.2 (2015). 2017]UNDERSTANDING CYBER COLLATERAL DAMAGE 235 defensive cyber operations (DCO), and DODIN operations.3 OCO refers to cyberspace activities intended to project power dodin (i.e. cause an effect) “in and through cyberspace.”4 DCO are defensive cyber activities taken in response to an adversary’s actions (such as an attack, or imminent threat), while DODIN operations are those typically known as cyber security efforts that protect one’s computer network and information from compromise.5 In addition to these activities, Joint Publication 3-12 defines three “layers” of cyberspace operations: physical network, logical network, and persona.6 The physical network layer refers to the geographic location of the computers, servers, networking equipment, cables and wiring, and includes the hardware and software components.7 The logical layer is a higher level of abstraction and refers to the application layer of internet communication, consisting of, for example, a website, database, email application, etc.8 Each of these applications may serve, store and process data that physically resides in multiple locations simultaneously (striped or mirrored across many storage devices or networks).9 Finally, the persona layer represents the digital identity of an individual or entity, such as a social media user account.10 Further, as described in Joint Publication 3-12, there may be a one-to-one, many-to-one, or one-to-many relationship between an actual individual (or individuals) and a digital persona (or personas), which may include many components of the physical and logical network layers.11 B. Collateral Damage The U.S. Department of Defense (DoD) defines collateral damage as the “unintentional or incidental injury or damage to persons or objects that would not be lawful military targets in the circumstances ruling at the time.”12 3. CHAIRMAN OF THE JOINT CHIEFS OF STAFF,JOINT PUBLICATION 3-12 at vi (2013). 4. Id. 5. Id. Note that the terms computer network defense (CND), computer network attack (CNA) or computer network exploitation (CNE) are still employed in some contexts, though are deprecated. UNITED STATES ARMY,UNITED STATES ARMY TRAINING AND DOCTRINE COMMAND 19 (2010). In that context, CND refers to actions taken “to protect, monitor, analyze, detect and respond to unauthorized activity” within a computer network. CNA refers to actions taken “through the use of computer networks to disrupt, deny, degrade, or destroy information resident in computers and computer networks, or the computers and networks themselves,” and CNE refers to “enabling operations and intelligence collec- tion capabilities conducted through the use of computers.” See U.S. DEP’TOFDEF., DOD DICTIONARY OF MILITARY AND ASSOCIATED TERMS 277 (2017). 6. JOINT PUBLICATION 3-12, supra note 3, at I-2. 7. Id. 8. Id. at I-3. 9. Id. 10. Id. at I-4. 11. Id. 12. CHAIRMAN OF THE JOINT CHIEFS OF STAFF,JOINT PUBLICATION 3-60 at GL-6 (2007) (emphasis added). 236JOURNAL OF NATIONAL SECURITY LAW &POLICY [Vol. 9:233 Similarly, the Program on Humanitarian Policy and Conflict Research at Har- vard University defines collateral damage as “incidental loss of civilian life, injury to civilians and damage to civilian objects or other protected objects or a combination thereof, caused by an attack on a lawful target.”13 Essentially, these definitions amount to accidental harm to non-military targets, and they are narrow in their description of both harm (considering only physical or property damage), and the object of any potential harm—objects or persons that would not be lawful to target in the first instance. For example, consider a bomb that destroys a military facility, but which also damages an adjacent military com- mand center and a civilian school. In that instance